CVE-2026-10525
Received Received - Intake

Stored XSS in NEX-Forms WordPress Plugin

Vulnerability report for CVE-2026-10525, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: WPScan

Description

The NEX-Forms WordPress plugin before 9.2.3 does not sanitise and escape some submitted form data before storing it and outputting it back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against high privilege users such as administrators when they view the submitted entries.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nex-forms nex-forms to 9.2.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The NEX-Forms WordPress plugin before version 9.2.3 has a stored cross-site scripting (XSS) vulnerability. It fails to sanitize and escape submitted form data before storing it and displaying it in the admin dashboard. This allows unauthenticated attackers to inject malicious scripts into form submissions.

Detection Guidance

Check the installed version of the NEX-Forms WordPress plugin. If it is below 9.2.3, the vulnerability likely exists. Inspect form submissions in the admin dashboard for unusual or malicious scripts in the data.

Impact Analysis

This vulnerability allows attackers to execute malicious scripts when high-privilege users like administrators view submitted entries. This could lead to unauthorized actions, data theft, or further compromise of the WordPress site.

Compliance Impact

This vulnerability could potentially violate compliance with GDPR and HIPAA by allowing unauthorized script execution in admin dashboards. Attackers could inject malicious scripts into form submissions, which may lead to data breaches or unauthorized access to sensitive information when viewed by high-privilege users. This could result in non-compliance with data protection requirements.

Mitigation Strategies

Update the NEX-Forms plugin to version 9.2.3 or later immediately. Remove any suspicious form submissions from the admin dashboard. Monitor for unauthorized admin access or unusual activity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10525. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart